
NIST 800-92 Log Management Guide in the Real World


This presentation introduces the first standard on log management, the NIST 800-92 guide. It then walks through the guide to highlight the critical areas it standardizes. Most of the remaining time is spent explaining how to use the guide in the real world, whether you are a security manager or a security practitioner.

Published in: Business, Technology


  1. NIST 800-92 Log Management Guide in the Real World
     Dr Anton Chuvakin, Chief Logging Evangelist
  2. Goals
     - Get a refresher on logs and logging
     - Get familiar with the NIST 800-92 Guide
     - Learn how log standards such as NIST help people “in the trenches”
     - Pick up a few tips on organizing your log management efforts (if you are a manager)
     - Pick up a few logging tips (if you are an analyst)
  3. Outline
     - What Logs?
     - From Log Analysis to Log Management
       - Log Management for Security and Beyond
     - Standards in Logging and Log Management
     - Brief NIST 800-92 Walkthrough
     - How 800-92 Helps You
     - Examples
  4. Log Data Overview: What Logs? From Where?
     What logs:
     - Audit records
     - Transaction logs
     - Intrusion alerts
     - Connection logs
     - System performance records
     - User activity logs
     - Various alerts and other messages
     From where:
     - Firewalls/intrusion prevention
     - Routers/switches
     - Intrusion detection
     - Servers, desktops, mainframes
     - Business applications
     - Databases
     - Anti-virus
     - VPNs
     - Proxies
  5. Security Log Analysis: Why
     - Situational awareness and new threat discovery
       - Unique perspective from combined logs
     - Getting more value out of the network and security infrastructures
       - Get more than you paid for!
     - Measuring security (metrics, trends, etc.)
     - Tracking what the users do
     - Incident response (last, but not least!)
  6. Log Analysis: Why NOT
     - “Real hackers don’t get logged!”
     - Why bother? No, really…
     - Too much data (>x0 GB per day)
     - Too hard to do
     - No tools “that do it for you”
       - Or: tools too expensive
     - What logs? We turned them off
  7. Log Analysis Basics: How
     - Manual
       - ‘tail’, ‘more’, etc.
     - Filtering
       - Positive and negative (“artificial ignorance”)
     - Summarization and reports
     - Simple visualization
       - “… worth a thousand words?”
     - Correlation
       - Rule-based and other
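The filtering and summarization steps from the slide above, as an added example that is not from the deck: negative filtering in the “artificial ignorance” style (discard every line matching a known-benign pattern and look at what survives), a positive watch list that is always surfaced, and a summary of survivors by program and by message template. The log lines, host names and patterns are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of BSD-style host log lines (not from the original deck).
SAMPLE_LOGS = """\
Jan 15 10:00:01 web01 CRON[4120]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 10:00:05 web01 sshd[4133]: Accepted publickey for deploy from 10.1.2.3 port 50122 ssh2
Jan 15 10:00:09 web01 sshd[4140]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Jan 15 10:00:10 web01 sshd[4140]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Jan 15 10:00:12 web01 sshd[4141]: Failed password for root from 203.0.113.9 port 41030 ssh2
Jan 15 10:01:01 web01 CRON[4150]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 10:01:30 web01 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jan 15 10:02:00 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
""".splitlines()

# Negative filter ("artificial ignorance"): known-boring lines are dropped, the rest is reviewed.
IGNORE = [re.compile(p) for p in (
    r" CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily)\)$",
    r" sshd\[\d+\]: Accepted publickey for \w+ from 10\.\d+\.\d+\.\d+ ",
)]
# Positive filter: patterns that are always surfaced, before the ignore list is consulted.
WATCH = [re.compile(p) for p in (r"Failed password", r" sudo: .*COMMAND=")]
LINE_RE = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ([^:\[]+)(?:\[\d+\])?: ?(.*)$")

def split_line(line):
    """Return (host, program, message); the program drops its [pid]."""
    m = LINE_RE.match(line)
    return m.groups() if m else ("?", "?", line)

def artificial_ignorance(lines):
    """Return (watched, residue): lines hit by WATCH, then lines not hit by IGNORE."""
    watched, residue = [], []
    for line in lines:
        if any(p.search(line) for p in WATCH):
            watched.append(line)
        elif not any(p.search(line) for p in IGNORE):
            residue.append(line)
    return watched, residue

def summarize(lines):
    """Summarization step: count by (host, program) and by message with numbers masked."""
    by_program = Counter(split_line(l)[:2] for l in lines)
    templates = Counter(re.sub(r"\d+", "N", split_line(l)[2]) for l in lines)
    return by_program, templates

if __name__ == "__main__":
    watched, residue = artificial_ignorance(SAMPLE_LOGS)
    print(len(watched), "watched;", len(residue), "residue:", summarize(residue)[0])
```

The ignore list is meant to grow over time: each residue line a human judges harmless becomes a new pattern, so the residue shrinks toward the genuinely new.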
  8. From Log Analysis to Log Management
  9. Why Log Management? Logs Beyond Security
     - Threat protection and discovery
     - Regulatory compliance
     - Internal policies and procedure compliance
     - Internal and external audit support
     - Incident response
     - Forensics, “e-discovery” and litigation support
     - IT system and network troubleshooting
     - IT performance management
  10. From Compliance to Logging Standards
     - Log transmission
       - Syslog (TCP/UDP port 514)
     - Log format
       - Syslog, “a non-standard standard”
       - IDMEF, a failed standard
     - Log contents
       - No standard to speak of: logs = trash can; people dump what they want (or: don’t want!) there
     - Logging practices
       - NIST 800-92 (for security only)
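One concrete reason the slide calls syslog a “non-standard standard” is that the same port carries more than one wire format. As an added example (not from the deck), a small Python parser that decodes the PRI field into facility and severity and recognises both the BSD (RFC 3164) and IETF (RFC 5424) line shapes, keeping anything else raw rather than dropping it. The sample lines and host names are constructed.

```python
import re

# Facility and severity names from RFC 5424 section 6.2.1; list index = numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# BSD shape (RFC 3164): <PRI>Mmm dd hh:mm:ss host tag[pid]: message
BSD_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")
# IETF shape (RFC 5424): <PRI>1 TIMESTAMP host app procid msgid structured-data message
IETF_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) ?(.*)$")

def decode_pri(pri):
    """PRI = facility * 8 + severity; return the two names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_syslog(line):
    """Parse one line into a dict; unknown shapes are kept raw so no record is silently lost."""
    m = BSD_RE.match(line)
    if m:
        pri, ts, host, tag, pid, msg = m.groups()
        fac, sev = decode_pri(int(pri))
        return {"format": "rfc3164", "facility": fac, "severity": sev, "timestamp": ts,
                "host": host, "program": tag, "pid": pid, "message": msg}
    m = IETF_RE.match(line)
    if m:
        pri, ts, host, app, procid, msgid, sd, msg = m.groups()
        fac, sev = decode_pri(int(pri))
        return {"format": "rfc5424", "facility": fac, "severity": sev, "timestamp": ts,
                "host": host, "program": app, "pid": None if procid == "-" else procid,
                "msgid": msgid, "sd": sd, "message": msg}
    return {"format": "unknown", "raw": line}

# Constructed sample: three senders, three shapes, one transport.
SAMPLE = [
    "<34>Oct 11 22:14:15 webhost01 su[1021]: 'su root' failed for alice on /dev/pts/8",
    "<165>1 2024-01-15T10:05:00Z fw01.example.com kernel - - - Dropped packet from 10.0.0.5",
    "Jan 15 10:05:01 app01 myapp: started",  # PRI stripped by a relay: no longer parseable as syslog
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_syslog(line))
```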
  11. Why Logging Standards?
     - Common language so that people and other systems understand what is in the logs
     - Easier to report on logs and explain the reports
     - Deeper insight into future problems as indicated by the log data
     - Easier system interoperability (thus, reduced cost and complexity)
     - Common logging practices simplify audits and compliance
  12. Introducing NIST 800-92
     - “This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise.”
  13. NIST 800-92 Walkthrough
     - Introduction to Computer Security Log Management
     - Log Management Infrastructure
     - Log Management Planning
     - Log Management Operational Processes
  14. Computer Security Log Management: Logs
     - “A log is a record of the events occurring within an organization’s systems and networks”
     - “Within an organization, many logs contain records related to computer security; common examples of these computer security logs are audit logs that track user authentication attempts and security device logs that record possible attacks.”
     - “This guide addresses only those logs that typically contain computer security-related information.”
  15. Computer Security Log Management: Process
     - “Security log management [is] the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.”
  16. Computer Security Log Management: Benefits
     - “It helps to ensure that computer security records are stored in sufficient detail for an appropriate period of time.
     - Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems […]
     - Logs can also be useful for performing auditing and forensic analysis, supporting the organization’s internal investigations,
     - establishing baselines, and identifying operational trends and long-term problems.”
  17. Security Logs vs. Security Logs
     - Logs from Security Applications
     - vs.
     - Security Logs from Applications
     - A key distinction!
  18. Log Management Challenges
     - “First, there are several potential problems with the initial generation of logs because of their variety and prevalence.
     - Second, the confidentiality, integrity, and availability of generated logs could be breached inadvertently or intentionally.
     - Finally, the people responsible for performing log analysis are often inadequately prepared and supported.”
  19. Log Management Infrastructure
     - Three Tiers of Log Management Architecture
       - Log Generation
       - Log Analysis and Storage
       - Log Monitoring
  20. Log Management Infrastructure: Buzzwords
     - Parsing
     - Filtering
     - Aggregation
     - Rotation
     - Archival
     - Compression
     - Reduction
     - Conversion
     - Normalization
     - Integrity Checking
     - Correlation
     - Viewing
     - Reporting
     - Clearing
  21. Log Management Infrastructure: Tools
     - Syslog-based tools
     - SIEM/SIM/SEM
     - Where did the host IDS go?
     - Log visualization tools
     - General log management tools (e.g. LogLogic)
     - Other tools related to logging
  22. Log Management Planning: Roles
     - “Who is invited to the party?”
       - System and network admins
       - Security admins
       - CIRTs
       - Application developers
       - ISOs and CSOs
       - CIOs
       - Auditors
       - And all software buyers
  23. Log Management Planning: Policies
     - Policies need to cover
       - “Log generation
       - Log transmission
       - Log storage and disposal
       - Log analysis”
  24. Example Policy
  25. Log Management Operational Processes
     - “Configure the log sources, including log generation, storage, and security
     - Perform analysis of log data
     - Initiate appropriate responses to identified events
     - Manage the long-term storage of log data.”
  26. Log Security Issues
     - “Limit access to log files.
     - Avoid recording unneeded sensitive data.
     - Protect archived log files.
     - Secure the processes that generate the log entries.
     - Configure each log source to behave appropriately when logging errors occur.
     - Implement secure mechanisms for transporting log data from the system to the centralized log management servers”
  27. Log Analysis Operational Processes
     - Automation is key! Reviewing logs ≠ reading logs
     - More data is good; context data is better
     - There might be some log entries that you’d never understand
     - Analyze to prioritize the efforts
  28. Critical Issue: System-level vs. Infrastructure-level
     - Important separation of responsibilities
       - Sysadmin vs. CSO or CIRT
       - Local vs. global
       - Event vs. incident
     - Event response is not the same as incident response
     - Typically, an event is system-level while an incident is infrastructure-level (or organization-level)
  29. Manage Long Term Storage
     - A surprisingly hard problem!
     - “Choose a log format for the data to be archived
     - Archive the log data
     - Verify the integrity of the transferred logs
     - Store the media securely”
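The four archival steps above, together with the “integrity checking” and “protect archived log files” items from the earlier slides, as an added Python example that is not from the deck: gzip is the chosen archive format, a manifest of SHA-256 digests is keyed with an HMAC so that rewriting a log together with its hash line is still detected, and verification reports what is missing or modified. The key, directory names and log records are constructed placeholders; the assumption is that the real key lives in a KMS or HSM, never on the archive media.

```python
import gzip, hashlib, hmac, json, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def archive_logs(src_dir, archive_dir, key):
    """Steps 1-2: gzip each raw log into archive_dir and write a keyed manifest beside them."""
    os.makedirs(archive_dir, exist_ok=True)
    entries = {}
    for name in sorted(os.listdir(src_dir)):
        dst = os.path.join(archive_dir, name + ".gz")
        with open(os.path.join(src_dir, name), "rb") as fin, gzip.open(dst, "wb") as fout:
            fout.write(fin.read())
        entries[name + ".gz"] = sha256_file(dst)
    body = json.dumps(entries, sort_keys=True).encode()
    # HMAC key is assumed to be held off the media (KMS/HSM), so a rewritten hash line cannot be re-keyed.
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(os.path.join(archive_dir, "MANIFEST.json"), "w") as f:
        json.dump({"entries": entries, "hmac_sha256": tag}, f, sort_keys=True)
    return entries

def verify_archive(archive_dir, key):
    """Step 3: recompute the manifest tag and every file hash; an empty list means clean."""
    with open(os.path.join(archive_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    problems = [] if hmac.compare_digest(expected, manifest["hmac_sha256"]) else ["manifest HMAC mismatch"]
    for name, digest in manifest["entries"].items():
        path = os.path.join(archive_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {name}")
    return problems

def demo():
    """Constructed run: archive two files, verify, rewrite one archived file, verify again."""
    key = b"constructed-demo-key"  # placeholder only
    logs = {"auth.log": "Jan 15 10:00:12 web01 sshd[4141]: Failed password for root\n",
            "cron.log": "Jan 15 10:01:01 web01 CRON[4150]: (root) CMD (run-parts)\n"}
    with tempfile.TemporaryDirectory() as tmp:
        src, arc = os.path.join(tmp, "logs"), os.path.join(tmp, "archive")
        os.makedirs(src)
        for name, text in logs.items():
            with open(os.path.join(src, name), "w") as f: f.write(text)
        archive_logs(src, arc, key)
        clean = verify_archive(arc, key)
        with gzip.open(os.path.join(arc, "auth.log.gz"), "wb") as f:  # quietly rewrite one record
            f.write(b"Jan 15 10:00:12 web01 sshd[4141]: Accepted password for root\n")
        return clean, verify_archive(arc, key)
```

Step 4 (store the media securely) is a physical and access-control matter that no script covers; the manifest only tells you whether what came back is what you put away.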
  30. How 800-92 Helps You!
     - Government (under FISMA mandate)
       - Security Manager
       - Security Analyst
     - Commercial
       - Security Manager
       - Security Analyst
  31. Government: Manager
     - NIST is voluntary guidance, but FISMA is not (FISMA requires log management): “NIST developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.”
     - Planning a log management project? Don’t start from scratch; start from NIST 800-92!
     - Log management touches the whole enterprise, and the guide explains how to involve other teams, not just security
  32. Other: Manager
     - NIST 800-92 might not apply to you directly, but why ignore good advice?
     - Planning a log management project? Don’t start from scratch; start from NIST 800-92!
     - Compliance drives log management: the NIST guide covers a compliance-friendly way of doing log management (and it helps justify management decisions)
  33. Government and Other: Technical
     - The guide is mostly about process, less about bits and bytes…
     - Log collection configuration guidance: how to solve the “what to log” question
     - Log analysis tips, including prioritization
     - Storage conundrum: not as simple as it sounds
     - What to do about log security?
  34. Example: NIST 800-92 and PCI Compliance
     - Retail organization log management project driven by PCI DSS
     - Log management in Requirement 10 and beyond
     - NIST guide for tool selection
     - NIST guide for template policies
     - NIST guide for ongoing project success
  35. Take These Home with You!!
     - Find the critical systems where logging is essential
     - Enable logging!
     - Read the NIST 800-92 guide (at least the parts needed); get it on the NIST site
     - Involve different teams in logging initiatives
     - Look at your logs! You’ll be glad you started today rather than tomorrow
     - Automate log management
  36. Thanks for Attending!
     - Dr Anton Chuvakin, GCIA, GCIH, GCFA
     - Chief Logging Evangelist
     - LogLogic, Inc
     - See for my papers, books, reviews and other security resources
     - Also visit my blog at